JwtValidator jku and kid header parameters

In elytron

Table of Contents

Overview
Issue Metadata
Requirements
- Hard Requirements
- Nice-to-Have Requirements
Test Plan

Overview

Our current JwtValidator supports only single key for validation, which makes it unusable for things like key rotation. This can be solved by supporting 'kid' and 'jku' parameters. That would enable us to use multiple keys for token validation and to use remote key endpoints to retrieve the keys.

Issue Metadata

Issue

WFCORE-3966

Dev Contacts

Martin Mazanek

QE Contacts

Affected Projects or Components

WildFly, Security

Requirements

Hard Requirements

Support 'jku' parameter - the idea is to support fetching keys from remote location using https. The only keys needed are RSA public keys for token signature validation. This will follow RFC7517. Every key will be immediately converted to RSAPublicKey right when received and that key will be cached for configurable time. Keys will be downloaded only over verified TLS connection.
Support 'kid' parameter, which can be used to distinguish between keys. This could be also used as an alias for keystores.
Add configuration for multiple named keys, that would be used when the token uses 'kid' parameter without 'jku'. Current implementation would be used for tokens with no 'kid' as a default key.

<security-realms>
...
    <token-realm name="TokenRealm">
        <jwt public-key="PEMpk" client-ssl-context="TokenRealmContext" host-name-verification-policy="ANY"/>
    </token-realm>
...
</security-realms>

<security-realms>
...
    <token-realm name="TokenRealm">
        <jwt public-key="PEMpk" client-ssl-context="TokenRealmContext" host-name-verification-policy="ANY">
            <key kid="1" public-key="PEMpk1" />
            <key kid="2" public-key="PEMpk2" />
        </jwt>
    </token-realm>
...
</security-realms>

Nice-to-Have Requirements

Ability to use kid as an alias for configured keystore.

Test Plan

Functionality tests will be included in Elytron.